March 24, 2014 | By Rick Robinson

As industry and government assess the use of the cloud for the storage of data and the hosting of everything from infrastructure to applications, we are all working diligently to provide cloud encryption and make the cloud secure. But I want to take a step back and ask a possibly redundant question: What makes us believe we can make the cloud secure?

To find the answer, we should consider whether we have ever faced a challenge that is similar to securing the cloud; if so, we must examine the outcome. What was the approach to security? What was the presumptive theory that was the basis of the security strategy? Are we reinventing the wheel, or is there something from history that can tell us we should consider a different direction?

One way to tell whether cloud solutions are likely to be secure is to view them from the perspective of a historical linguist and cryptographer of the 19th century.

Look to Kerckhoffs for Cloud Encryption

Auguste Kerckhoffs was a Dutch linguist and cryptographer who lived in the 19th century and wrote an essay entitled “La Cryptographie Militaire” (Military Cryptography). Within this essay and other articles, he argued that a practical cipher design should follow six principles. One such principle, now known as Kerckhoffs’ principle, states that “the design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondence.”

In other words, a secure system does not have to be secret to be secure. The only thing that should give a user access to the information within the system should be the key.

Think about that. If Kerckhoffs was correct — he presumably was and still is — it means that, in order for the cloud to be secure and provide cloud encryption, nothing about how the cloud is deployed or configured should give an attacker an advantage. The only thing that should allow a user access to the data in the cloud should be having access to the keys; that, by Kerckhoffs’ principle, is a secure cloud.

To simplify the matter further, this means that when we look at cloud encryption and security strategies, we must talk about good, fundamental key management strategies. The reason is that, for your cloud security strategy to pass the litmus test of Kerckhoffs’ principle, key management must be a fundamental technical control for restricting access to the data. This is the same strategy we use when we park our car, leave our house, close our office, close our desk, log out of our computer or do a myriad of other daily activities. We keep our keys with us, even though our “stuff” is somewhere else.


Keepers of the Keys

We all know clouds come in many forms, including the following, among others:

  • Intranet
  • Internet
  • Hybrid
  • Infrastructure-as-a-service (IaaS)
  • Platform-as-a-service (PaaS)
  • Software-as-a-service (SaaS)

Presumably, some or all of your cloud is not under your control, but your keys should be. A perpetrator may be a cloud administrator, hacker or mischievous user. These different threats, and these different forms of the cloud, require different approaches to data protection; but the underlying principle is that the data in the cloud must, at a minimum, be encrypted. Moreover, the keys used for encrypting the data must be properly managed.
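An added example (not from the original article) of the point above and of "the only thing that should give access is the key" from the Kerckhoffs section: envelope encryption in Node.js, where the algorithm and the stored record are public and only the customer-held master key opens the data. Function names, the object ID and the sample data are constructed for illustration.

```javascript
// Added example: envelope encryption with a customer-held master key.
const crypto = require("node:crypto");

const ALG = "aes-256-gcm"; // public, standard algorithm: nothing about the design is secret

// AES-256-GCM seal: returns nonce, ciphertext and auth tag, none of which is secret.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv(ALG, key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Inverse of seal(); throws if the key, the AAD or the ciphertext is wrong.
function open(key, box, aad) {
  const d = crypto.createDecipheriv(ALG, key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Client side: a fresh data key (DEK) per object, wrapped under the master key (KEK)
// that never leaves the data owner. Only the returned record is sent to the cloud.
function encryptForCloud(kek, objectId, plaintext) {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(objectId); // binds both layers to this object ID
  return { objectId, alg: ALG, data: seal(dek, plaintext, aad), wrappedKey: seal(kek, dek, aad) };
}

function decryptFromCloud(kek, record) {
  const aad = Buffer.from(record.objectId);
  const dek = open(kek, record.wrappedKey, aad);
  return open(dek, record.data, aad);
}

// What a party holding the complete stored record, but not the KEK, gets.
function tryWithoutKey(record) {
  try {
    decryptFromCloud(crypto.randomBytes(32), record);
    return "decrypted";
  } catch (e) {
    return "rejected";
  }
}

// Constructed sample data.
const kek = crypto.randomBytes(32);
const record = encryptForCloud(kek, "invoices/2014-03.csv", Buffer.from("acct,amount\n1001,250.00\n"));
console.log(decryptFromCloud(kek, record).toString(), tryWithoutKey(record));
```

Because only the small wrapped data key depends on the master key, rotating the master key means rewrapping data keys rather than re-encrypting every stored object.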

Kerckhoffs’ principle is a nonnegotiable requirement if we are going to deploy any solution that serves cryptography for business as part of a secure cloud solution. Some secure data solutions can require millions of encryption keys; others generate and deploy over 250,000 encryption keys per year just to maintain alignment with enterprise policy and procedure. For a secure cloud solution to be considered by organizations with these kinds of requirements, its key management strategy must be able to manage keys at this scale.

Whether we are talking about little clouds or big clouds, private clouds or public clouds, when we wonder whether the cloud can be secure, we can look to history and see that, according to Kerckhoffs, the answer is yes, the cloud can be secure. We just need good key management.

